# Sample Metalog configuration file

maxsize  = 104857600  # size in bytes (1048576 = 1 megabyte)
maxtime  = 8640000    # time in seconds (86400 = 1 day)
maxfiles = 500        # num files per directory

# This will capture all of the internal log messages that metalog itself
# generates.  If you use any "command" options below, you will want this
# as metalog generates a lot of status messages whenever it executes a
# command and children processes exit.
#Metalog :
#
#  program   = "metalog"
#  logdir    = "/var/log/metalog"
#  break     = 1

# Uncomment and adjust the following lines according to your console logging
# needs.  If you want to only output things that were not caught by other log
# sections, move this to the end of the file.  Make sure this command is on
# your root partition if you have /usr mounted separately.  This script should
# merely write $@ to some device (your console for messages):
# echo "$@" > /dev/tty10
#
# Hint: you can control the consolelog.sh behavior in /etc/conf.d/metalog
#
#console logging :
#
#  facility  = "*"
#  command   = "/sbin/consolelog.sh"

Everything important :

    facility = "*"
    minimum  = 6000
    logdir   = "/var/log/everything"
#if break keyword does not appear, rules after here will be run.

Everything very important :

    facility = "*"
    minimum  = 1000
    logdir   = "/var/log/critical"

Password failures :

    regex    = "(password|login|authentication)\s+(fail|invalid)"
    regex    = "(failed|invalid)\s+(password|login|authentication|user)"
    regex    = "ILLEGAL ROOT LOGIN"
    logdir   = "/var/log/pwdfail"
#    command  = "/usr/local/sbin/mail_pwd_failures.sh"

Kernel messages :

    facility = "kern"
    logdir   = "/var/log/kernel"
    break    = 1

Crond :

    facility = "cron"
    logdir   = "/var/log/cron"
    break    = 1

Dudes firewalled by IPTrap :

    program  = "iptrap"
    logdir   = "/var/log/iptrap"
    break    = 1

FTP Server :

    facility = "ftp"
    logdir   = "/var/log/ftpd"
    break    = 1

News Server :

    facility = "news"
    logdir   = "/var/log/news"
    break    = 1

SSH Server :

    program  = "sshd"
    logdir   = "/var/log/sshd"
    break    = 1

#why the hell do you still run that thing !?
Telnet :

    program  = "login"
    logdir   = "/var/log/telnet"
    break    = 1

Imap :

    program  = "/usr/sbin/imapd"
    logdir   = "/var/log/imap"
    break    = 1

POP Toaster :

    program  = "/usr/sbin/ipop3d"
    logdir   = "/var/log/pop"
    break    = 1

# Add authenticated IP addresses for SMTP relaying :

#    program  = "/usr/sbin/ipop3d"
#    regex    = "Login.+nmsgs="
#    command  = "/usr/local/sbin/add_pop_address.sh"
#    break    = 1

Mail :

    facility = "mail"
    neg_regex= "starting daemon"
    logdir   = "/var/log/mail"
    break    = 1

# exim stuff - log output from every program whose name begins with
# "exim".
#
Exim :

    program_regex = "^exim"
    logdir        = "/var/log/exim"
    break         = 1

Ppp :
    program_regex = "^ppp"
    logdir    = "/var/log/ppp"
    break     = 1

Postgresql :
    program_regex = "^postmaster"
    program_regex = "^postgres"
    logdir    = "/var/log/postgres"
    break     = 1

Apache :
    program_regex = "^httpd"
    logdir    = "/var/log/http"
    break     = 1

HAL :
    program_regex = "^hal"
    logdir    = "/var/log/hal"
    break     = 1
